Creating Custom Firewall Rules

Each of the five firewall settings described in chapter 4, Protecting Your Server from Network Attacks, is actually a collection of rules, each of which in turn is defined by naming permitted or forbidden sources, destinations, services and interfaces.

To see your Firewall rules, choose a server, click on VirusBarrier Server 3, then click on the Firewall tab.

By default you see the Simple mode, which doesn't permit you to change the rules or any of their parts. To do that, you need to enter the Firewall screen's advanced mode. To do so, click the Firewall tab and then click Advanced.

WARNING: Changing these settings could dramatically affect your computer's ability to access local networks and the Internet. You should only use advanced mode if you fully understand its effects and how it functions.

In simple mode, clicking any of the five preset firewall settings displays an animation; in advanced mode, you see the details of each setting's rules.

In addition, hovering the cursor over any of the preset settings for a few seconds displays a text that briefly describes what it does.

In this example, the Client, local server setting shown has four rules.

The first allows the local network to access your server through all Connected Services - that is, TCP connections that involve back-and-forth communications, such as serving files from your server.

The second rule, however, forbids such connections from the Internet at large, preventing your server from acting as a server to an unknown computer outside your local network.

The third rule allows all other communications from the Internet to your server.

The fourth rule allows all communications from your server to the Internet.

The five preset firewall settings are "locked" for convenience and stability: you can't change their rules, or the order in which they appear. But VirusBarrier Server 3 gives you two ways to create additional, customized settings: through the program's Firewall Assistant, and manually.

In either case, the first step is to click the + button below the list of settings. You'll see a new setting appear, named "untitled settings". Click it and type any name you prefer, then press Enter or Return to make the change permanent.

Note that you've only created this setting, but have not enabled it yet. It's a good idea to not enable firewall settings until you have finished adding all your rules. To make it the active setting, click the radio button to its left.

VirusBarrier Server 3 contains an assistant to help you create your own custom firewall rules. With this assistant, you can create your own rules with just a few mouse clicks. While not all of VirusBarrier Server 3's rule features are available when you create rules with the assistant, it can cover most of your needs. If you need more customization, you can edit rules manually after creating them with the assistant.

The VirusBarrier Server 3 Assistant walks you through a series of steps to create your rule:

Introduction

Name and Behavior

Communication Direction

Service

Options

Conclusion

To create a new rule using the assistant, click the Assistant button in the bottom-right corner of the window.

The first assistant screen displays.

Click the Next button to begin creating a new rule. You can click the Previous button at any time to return to previous screens, or click Close to exit the Assistant.

Name and Behavior

Enter a name for your rule in the name field, then select the behavior for the rule: Allow data or Deny data. If you select Allow data, the rule will allow data matching its direction and service to pass. If you select Deny data, the rule will block data matching its direction and service.

Communication Direction

This screen lets you choose the communication direction and which host initiates the communication.

First, in the This rule will affect connections with: section, select a remote host. You have four choices for the remote host:

Any other computer: Any computer other than your server.

Computers on my local network: Any computer on the same local network as your server.

Computers on the default AirPort network: Any computer on your default AirPort network, if you have one.

Computers on this custom network: If you have created any custom networks using the standard rule editor, you can select one of them here. (See the "Creating Rules Manually" section to learn how to set up a custom network.)

Next, select the computer that initiates the connection:

My Mac: The computer using this rule.

The other computer: The remote host, as was defined in the first part of this screen.

Service

This screen lets you choose the service that the rule affects.

You can choose from three types of services:

All services: All network services.

TCP services (connected services): Services that require that a connection be open and maintained between two computers, such as HTTP, FTP, Telnet, SSH, POP3, AppleShare, etc. This covers all TCP connections.

This service: You can choose from a list of services that correspond to popular applications and protocols. Select the service you want to use by clicking its name in the list.

Options

This screen lets you choose additional options for your rule.

Two options are available on this screen:

Log rule usage: The firewall records each time this rule is used in its log.

Disable the rule: VirusBarrier Server 3 creates the rule but disables it. You can enable it manually.

Conclusion

This screen creates the rule according to the settings you have selected in the assistant.

This screen offers one final option: if you check Create a rule in the opposite direction, the assistant creates a matching rule with the source and destination switched.

Click Configure to create your rule and exit the assistant.

When you have finished, you will see that your rule (or rules, if you checked Create a rule in the opposite direction) displays in the VirusBarrier Server 3 list of firewall rules.

If you wish to further customize the rule, or edit it, see the section "Editing Rules" in the Working with Rules section, below.

You can quickly create a rule to control information to and from common services and programs. To do so, click the + button at the bottom of the Rule list and hold your mouse button down for a second. You'll be able to choose from a popup list of the most common services. A rule governing your selection then appears in the Rules list.

The Rule Editor lets you create rules of much greater variety and complexity. To see it, click the + button at the bottom of the list of rules.

VirusBarrier Server 3's Rule Editor allows network administrators to quickly and easily define and implement a comprehensive security policy. It is extremely flexible, and allows you to define an unlimited number of rules in seconds. To create a rule, you need to specify details in six areas:

Rule Name, Logging, Evaluation and Schedule

Rule Source

Rule Destination

Rule Service

Rule Interface

Rule Action

Rule Naming, Logging, Evaluation and Schedules

At the top of the Rule Editor is a field where you can name this rule. Just below it is the Log checkbox. If you check the Log box, an entry is added to the VirusBarrier Server 3 log any time this rule acts; a small red dot to the right of the rule's name in the Rules list indicates that the rule is logged. If this box is not checked, this rule is not logged.

If the Log checkbox is checked, the Stop Evaluating Rules checkbox becomes available, and is checked by default. With it checked, the rule behaves like any other: the first rule that matches a packet decides, and no later rule is consulted. With it unchecked, the rule only records the packets it matches in the log and then lets evaluation continue to the rules below it, so the rule observes traffic without affecting it. Used together, these two settings are a powerful way to troubleshoot a network without hampering its traffic.

WARNING: If some of your rules don't seem to take effect, look at the rules above them. Any earlier rule that matches the same traffic and stops evaluation (a logged rule with Stop Evaluating Rules checked, or an unlogged rule, which always stops) decides before your rule is ever reached. Make sure that Stop Evaluating Rules is off for each of those earlier rules, or move your rule above them.

To edit the Schedule, click the Edit... button. The Schedule window displays.

The Default rule state is set to Enabled, which means that your rule is activated. If you set it to Disabled, VirusBarrier Server 3 does not use this rule. You may want to have certain rules active in one configuration, and not another. For more on using configurations, see the "Working with Configurations" section of Chapter 6, Intego VirusBarrier Server 3 Preferences and Configurations.

If your default rule state is Enabled, you can set specific times for the rule to be disabled. If your default rule state is Disabled, you can set specific times for the rule to be enabled.

When you first create a rule, its schedule is Never, so the default rule state applies at all times. If you wish to have the rule enabled or disabled at certain times, select Enabled or Disabled from the popup menu and select one of the time intervals in the list.

Three options are available in addition to Never:

Every Week allows you to change the rule's schedule so it is enabled at a fixed time every week, such as every Monday at 8:00 am.

Every Day enables the rule at a specific time every day.

From allows you to disable or enable the rule for a specific period of time by specifying the beginning and ending time.

You can schedule additional times for rules to be enabled or disabled using the + button. For example, if you need a rule to be disabled only during office hours on Mondays and Tuesdays, you can set these two days in the Schedule window. To remove a scheduled time from the list, click the - button to the right of the item.

Scheduled rules are displayed with a calendar icon in the rule list.
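The schedule semantics described above (a default state that is inverted inside every scheduled window, with Every Week, Every Day and From entries) can be checked with a few lines of code. The following is an added illustration, not part of the manual or of Intego's software; the Weekly, Daily and Between classes, the active_at helper and the dates used are assumptions chosen for the example.

```python
"""Whether a scheduled rule is active at a given moment: a default rule state
(Enabled or Disabled) plus Every Week, Every Day and From entries during which
that state is inverted. Added illustration, not Intego code; the classes and
the example schedules are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Weekly:          # "Every Week": one weekday, Monday=0 .. Sunday=6
    weekday: int
    start: time
    end: time


@dataclass(frozen=True)
class Daily:           # "Every Day": the same window every day
    start: time
    end: time


@dataclass(frozen=True)
class Between:         # "From": one absolute period, beginning and ending time
    start: datetime
    end: datetime


def in_window(win, now: datetime) -> bool:
    """True if `now` falls inside the entry. Start is inclusive, end exclusive.
    A time-of-day window that crosses midnight (22:00 to 06:00) wraps; for a
    Weekly entry the wrapped part is taken on the same weekday."""
    if isinstance(win, Between):
        return win.start <= now < win.end
    if isinstance(win, Weekly) and now.weekday() != win.weekday:
        return False
    t = now.time()
    if win.start <= win.end:
        return win.start <= t < win.end
    return t >= win.start or t < win.end


def rule_is_active(default_enabled: bool, windows, now: datetime) -> bool:
    """Entries invert the default state: a rule whose default is Enabled is off
    inside any scheduled window; one whose default is Disabled is on inside."""
    inside = any(in_window(w, now) for w in windows)
    return default_enabled != inside


def active_at(default_enabled, windows, year, month, day, hour, minute=0):
    """Same check, taking a calendar date and time instead of a datetime."""
    return rule_is_active(default_enabled, windows,
                          datetime(year, month, day, hour, minute))


# Constructed schedules (assumed). The LAN rule from the text: enabled by
# default, but disabled during office hours on Mondays and Tuesdays.
OFFICE_HOURS_MON_TUE = [Weekly(0, time(9), time(17)), Weekly(1, time(9), time(17))]
# A rule that is normally disabled and enabled only during one maintenance window.
MAINTENANCE = [Between(datetime(2024, 1, 8, 22, 0), datetime(2024, 1, 9, 2, 0))]
# A rule disabled every night from 22:00 to 06:00 (the window crosses midnight).
NIGHT = [Daily(time(22), time(6))]

if __name__ == "__main__":
    # 2024-01-08 is a Monday: the LAN rule is off at 10:00 and on again at 18:00.
    print(active_at(True, OFFICE_HOURS_MON_TUE, 2024, 1, 8, 10),
          active_at(True, OFFICE_HOURS_MON_TUE, 2024, 1, 8, 18))
```

Note that the inversion works both ways: the same window list makes a Disabled rule active inside the window and an Enabled rule inactive inside it, which is exactly what the Schedule window's Default rule state popup controls.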

Rule Sources and Destinations

When defining rules, the Source is the entity that sends data; the Destination is where the data goes. You can choose from a list of four sources and destinations for any rule. However, VirusBarrier Server 3 will not allow you to choose the same source and destination for a given rule. (If you try, VirusBarrier Server 3 will correct the error.)

Internet: The Internet, in addition to any local network you may be connected to; effectively, all networks.

You can create new sources and destinations to use in your rules. This allows you to specify exactly which computers you wish to have your server communicate with.

To create a new source, click the + button to the right of the Source or Destination popup menu. In our example, we'll create a new Source; however, once it's created, it will also show up in the list of possible Destinations.

The New Network editor displays.

Enter a name that will help you remember the network. If, for example, you're blocking IP addresses whose last octet is in the range of 100-155, you might name the Source/Destination "IPs from 100-155".

The pop-up menu offers a selection from seven types of network. Each type, what it covers, and what the Address field accepts for it, are listed below.

Anywhere
Definition: Any network.
Address Type: None, as this source covers all networks.

My Mac
Definition: Your computer.
Address Type: The IP address(es) of your server display in the Address field and cannot be changed.

My local network
Definition: The local network your computer is connected to.
Address Type: The IP address(es) of your server and the subnet mask of your local network display in the Address field and cannot be changed.

Machine
Definition: A specific IP address.
Address Type: Any IP address. If you enter a domain name, VirusBarrier Server 3 resolves it to a single IP address, so a host that has several addresses, or whose address changes, is matched only on the one address that was resolved.

Network
Definition: A specific network.
Address Type: Any subnet IP address and subnet mask. As above, a domain name is resolved to a single IP address.

Address Range
Definition: A group of IP addresses.
Address Type: Beginning and ending addresses. As above, a domain name is resolved to a single IP address.

Ethernet ID
Definition: A single device connected to the network by Ethernet.
Address Type: An Ethernet ID (the device's MAC address), as six two-character hexadecimal numbers. Keep in mind that an Ethernet ID is only visible for devices on the same network segment as your server, and that a device can present any Ethernet ID it likes, so this type identifies a local device for convenience rather than proving which device it is.

Rule Services

"Service" refers to a combination of protocol type, port (or ports) used, and protocol-specific criteria. These items, taken together, typically describe a program or class of program that sends and receives information. For example, information sent by the TCP protocol over port 80 using HTTP would be a Web service.

VirusBarrier Server 3 comes with over 50 common services preprogrammed so you can easily stop (or allow) traffic that appears to be of a specific type.

While most preprogrammed Services clearly map to a specific program, some selections in this list, such as "Web", pertain to a class of communications instead. Here are some of those non-specific Services:

All
Description: All communications, regardless of protocol or port.
Settings: All protocols, on all ports.

Apple Remote Desktop
Description: A program that allows an administrator Mac to control another Mac over a network connection.
Settings: Port 3283 over UDP.

Connected Services
Description: All TCP communications. Because a TCP session opens with a handshake and maintains a connection between the two computers, the firewall can always tell which side initiated it, and can treat a connection your server opened differently from one a remote computer opened. A UDP exchange, by comparison, is a series of individual datagrams with no "memory" of who initiated it.
Settings: All TCP communications, on any port.

FTP
Description: File Transfer Protocol.
Settings: TCP, ports 20 or 21.

iChat AV
Description: An instant messaging program with video and sound.
Settings: Port 5060 over UDP.

IRC
Description: Internet Relay Chat.
Settings: TCP on port 194 for IRC, and all TCP traffic on ports 6665 through 6669, inclusive.

Description: A large range of ports with long usage traditions in network communications (the well-known ports).
Settings: TCP and UDP on all ports from 0 to 1023.

The remaining services are for specific programs or protocols.

Be careful when creating rules for specific services. When you select a service for a specific program, it is possible that this program uses the same port as another program or service. Blocking or authorizing a specific service may conflict with other, more general rules. For example, if you wish to block ICQ traffic, selecting ICQ as a service will also block AOL Instant Messenger traffic since both programs use the same port. Other programs may also share the same ports. If you find that you cannot connect to a given service, or send or receive traffic, try deactivating your rules one by one to see if there is a conflict.

To create a new service, click the + button in the Service section.

The New Service editor displays.

Four protocols are available from the Protocol pop-up menu: TCP, UDP, ICMP and IGMP. You can also select Any, which covers all protocols.

When you select one of these protocols, additional options display in the bottom section of the panel, with a list of services that you can select from. The options depend on the protocol you selected.

TCP or UDP have the following options:

Any port: Affects all ports.

Single Port: Lets you specify a single port either by typing its number or by selecting from over a hundred options in the popup menu. (VirusBarrier Server 3 automatically fills in the correct number when you select from the popup menu.)

Range of Ports: Lets you enter the beginning and ending port numbers that define a range.

ICMP or IGMP have the following options:

Any: Affects all types.

Specific Type: Lets you specify a single value either by typing its number or by selecting from over twenty options in the popup menu. (VirusBarrier Server 3 automatically fills in the correct number when you select from the popup menu.) You can also specify a Code number, if necessary.

For each of these, an option is available to Allow Broadcast Packets. If checked, packets sent to all computers on a local network are included in this service.

Destination Port is a final option, available only for services that use the UDP protocol. If it is checked, the port you specified is compared with each packet's destination port; if it is left unchecked, it is compared with the packet's source port instead. The source port is the one that identifies a reply arriving from a well-known port, such as a DNS answer sent from port 53.

Rule Interfaces

The Interface is the network adapter that the data passes through. This can be an Ethernet card, a wireless AirPort card, or any other type of network interface.

You can choose from a list of preprogrammed interfaces that exist on your computer, or you can create your own interfaces by clicking the + button.

The New Interface editor displays.

The Type pop-up menu has two options. The first, Any, uses all available network interfaces. The second, Specific, lists those interfaces that are available to you, depending on your computer's hardware and software, and gives you some additional options.

Typical interfaces are:

AirPort: Wireless networking

Built-in Ethernet: Wired interface commonly used for networking

Built-in FireWire: Wired interface commonly used for peripherals, such as a hard drive, but which can also be used as a network interface

The BSD Name and Index number are the identifiers used by the Unix layer of Mac OS X. You can set these manually, if you need to. (You probably won't have to, and shouldn't change them if you don't understand what they are.) If other interfaces are present in your server, an Other option will also be available.

Rule Actions

Two actions are possible for any rule: Allow or Deny. Select the action you wish to use for your rule with the appropriate radio button at the bottom of the Rule Editor window.

Multi-Part Sources, Destinations, Services and Interfaces

Rule sources, destinations, services and interfaces can have several parts. You can, for example, dictate that traffic from several specific IP addresses be banned, listing each one separately in a given Source.

When you create or edit a source, destination, service or interface, you see a bar at the top of the window that looks like this:

Create a new part: Click the + button.

Move among parts: Click the arrow icons. Note that the text in the middle will tell you where you are, and how many parts exist in total. When you reach the last part, clicking the right arrow takes you back to the first one.

Delete a part: To delete a part, it must be visible. Click one of the arrow icons until the part you wish to delete is displayed. Click the - button, then confirm the deletion in the dialog box that follows.

Deleting Sources, Destinations, Services and Interfaces

You can delete any sources that you have created. To do so, select the source, and then click the - button.

A dialog box displays, asking if you really want to remove that network. Click Remove to delete the source network, or Cancel if not.

Rule Order

Rules you add to VirusBarrier Server 3's firewall are evaluated from first to last, and the first rule that matches a packet decides what happens to it (unless that rule is a logged rule with Stop Evaluating Rules unchecked, in which case evaluation continues below it). You therefore need to make sure that your rules are in the correct order to function properly.

In this example, the first rule blocks data coming from the Internet, which includes all networks, even your local network. Rule 3 allows traffic from the local network, but because it is in third position it never takes effect: a packet from the local network has already matched rule 1, which takes precedence. For rule 3 to be applied, it must be moved above rule 1. To do this, select the rule and drag it to the appropriate position. As a general practice, place the more specific rules (a particular network, machine or service) above the general rules that would otherwise swallow their traffic, and check the rules above any rule that seems not to apply.
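The rule-order problem above, the Log / Stop Evaluating Rules behaviour from the Rule Naming section, and the Source/Destination and Service matching described earlier can all be exercised with a small first-match evaluator. What follows is an added illustration written for this page, not Intego's code and not how VirusBarrier Server 3 is implemented internally; the Net, Service, Rule and Packet classes, the 192.168.1.0/24 addresses, the rule names and the evaluate/decide functions are assumptions chosen for the example.

```python
"""First-match evaluation of firewall rules built from the Source, Destination,
Service and Action fields above, including the Log / Stop Evaluating Rules
behaviour and the rule-order problem. Added illustration, not Intego code: the
classes, the 192.168.1.0/24 addresses and the rule names are assumptions."""
from collections import namedtuple
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Net:
    """A source/destination: Anywhere (the Internet entry, which also covers the
    local network), a Network, a Machine, or an Address Range."""
    name: str
    kind: str          # "anywhere" | "network" | "machine" | "range"
    spec: tuple = ()   # ("10.0.0.0/8",), ("10.0.0.5",) or ("first", "last")

    def contains(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if self.kind == "anywhere":
            return True
        if self.kind == "network":
            return ip in ipaddress.ip_network(self.spec[0], strict=False)
        if self.kind == "machine":
            return ip == ipaddress.ip_address(self.spec[0])
        if self.kind == "range":   # beginning and ending addresses, inclusive
            first, last = (ipaddress.ip_address(a) for a in self.spec)
            return first <= ip <= last
        raise ValueError(f"unknown network kind {self.kind!r}")

@dataclass(frozen=True)
class Service:
    """Protocol plus an inclusive port range; a single port is (p, p). match_dst
    mirrors the UDP 'Destination Port' option: False matches the source port."""
    name: str
    proto: str                  # "any" | "tcp" | "udp"
    ports: tuple = (0, 65535)
    match_dst: bool = True

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        port = dport if self.match_dst else sport
        return self.ports[0] <= port <= self.ports[1]

@dataclass(frozen=True)
class Rule:
    name: str
    src: Net
    dst: Net
    svc: Service
    action: str        # "allow" | "deny"
    log: bool = False
    stop: bool = True  # "Stop Evaluating Rules"; the editor offers it only when log=True

Packet = namedtuple("Packet", "src dst proto sport dport")

def evaluate(rules, pkt, log_sink=None, default="allow"):
    """Walk the rules first to last. The first matching rule decides, unless it is
    a logging rule with Stop Evaluating Rules unchecked: that rule only records
    the packet and evaluation continues with the rules below it."""
    for idx, r in enumerate(rules, 1):
        if not (r.src.contains(pkt.src) and r.dst.contains(pkt.dst)
                and r.svc.matches(pkt.proto, pkt.sport, pkt.dport)):
            continue
        if r.log and log_sink is not None:
            log_sink.append(f"#{idx:02d} {r.name}: {r.action} "
                            f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
        if not r.log or r.stop:
            return r.action
    return default   # nothing decided: no rule (or only log-only rules) matched

# Constructed policy for a server at 192.168.1.10 on 192.168.1.0/24 (assumed).
INTERNET = Net("Internet", "anywhere")
MY_MAC = Net("My Mac", "machine", ("192.168.1.10",))
LOCAL_NET = Net("My local network", "network", ("192.168.1.0/24",))
IPS_100_155 = Net("IPs from 100-155", "range", ("192.168.1.100", "192.168.1.155"))
CONNECTED = Service("Connected Services", "tcp")
SSH = Service("SSH", "tcp", (22, 22))
DNS_REPLIES = Service("DNS replies", "udp", (53, 53), match_dst=False)

deny_internet = Rule("Block Internet", INTERNET, MY_MAC, CONNECTED, "deny")
audit_ssh = Rule("Audit SSH", INTERNET, MY_MAC, SSH, "allow", log=True, stop=False)
allow_local = Rule("Allow LAN", LOCAL_NET, MY_MAC, CONNECTED, "allow")

BROKEN_ORDER = [deny_internet, audit_ssh, allow_local]  # rule 3 shadowed by rule 1
FIXED_ORDER = [audit_ssh, allow_local, deny_internet]   # log-only first, specific before general

def decide(rules, src, dport=22, proto="tcp", sport=51000):
    """Verdict and log lines for one inbound packet to the server."""
    log = []
    verdict = evaluate(rules, Packet(src, "192.168.1.10", proto, sport, dport), log)
    return verdict, log

if __name__ == "__main__":
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, decide(order, "192.168.1.42"), decide(order, "203.0.113.7"))
```

With BROKEN_ORDER a local host's SSH connection is denied by rule 1 and the audit rule never fires; with FIXED_ORDER the same connection is logged by the audit rule, then allowed by the LAN rule, while an Internet host's connection is logged and then denied. The DNS_REPLIES service shows the Destination Port option the other way round: it matches a UDP datagram whose source port is 53, not one whose destination port is 53.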

Editing and Deleting Rules

To edit a rule, select the rule by clicking it, then click the button with the pencil icon at the bottom of the list. The Rule Editor will open, and you can make any changes you want to this rule. When you have finished making changes, click OK to save your changes. If you decide you do not want to save the changes, click Cancel.

To delete a rule, click the rule in the list of rules, then click the - button at the bottom of the list.

Using the Rule Contextual Menu

VirusBarrier Server 3 lets you make changes to Firewall Rules quickly through a contextual menu. You can use this contextual menu to add new rules, to edit existing rules, or to change rule characteristics on the fly.

To see this contextual menu, right-click on a rule.

The menu offers the following options:

Copy to Clipboard: Copies the contents of a Rule to the Mac's Clipboard in plain-text format. You can then paste the rule into a document, where it will look something like this: "#02/ON/Input/Any/Internet -> My Mac/All/Deny" (where slashes are tabs).

Insert Standard Set / Add Standard Set: Insert or add a standard set of rules, from the same selection as is found in simple mode: No restrictions, No network, Client, Local Server, Server only, or Client only.

Status: You can toggle the state of a rule, turning it On or Off. If the rule is scheduled to run at certain times, a check mark is displayed next to Scheduled in the submenu.

Behavior: Toggle the behavior of a rule between Allow or Deny traffic.